5 Steps to Stay Secure in Wake of Heartbleed

It has been all over the news, but unfortunately the coverage has focused on the risks and not on the ways to protect yourself and your business. Heartbleed is a security bug in a widely used open source cryptographic library. Simply stated, Heartbleed allows a malicious actor to read sensitive data on unpatched servers, devices and related software, such as the server's master key, form post data, session cookies and even passwords. It effectively means a malicious cyber-criminal can steal passwords, decrypt data, and otherwise gain access to your account and critical data. Some news sources point the finger at certain government organizations and unknown others exploiting this vulnerability for nearly 2 years.

It is worth noting that the software bug was quickly fixed on April 7th, the very same day the bug was publicly announced. I believe this shows the strength of the open source community and their dedication to fixing known security issues. Let it be known that this doesn’t always happen with commercial software, which can take months or years to patch known security issues, or never patch them at all. I will not point the finger but welcome you to visit the search engine of your choice to research this truth.

This serious bug requires that you, as a user, take some steps to maintain the security of your interaction with the many services you use on a daily basis. Keep in mind this relates to many types of services, such as cloud services and email. Below I’ve created a simple list because I’ve received so many questions from customers, friends and family.

Check if the Services You Use Are Patched

Not every provider is as judicious as those market leaders. There are numerous sites which detail the sites that have addressed this bug and therefore are now safe from this particular vulnerability. You can check with this handy link https://filippo.io/Heartbleed/ or get a Heartbleed checker plugin for Mozilla Firefox or Google Chrome.
As I noted above, the fix was available the same day as the public disclosure, so it is odd that so many lag behind in addressing this issue. If you find a service is still vulnerable weeks after the fix became available, I’d think about finding another provider for the service in question.

Change Your Passwords

After checking that the service in question has patched the issue, you can reset your password. Changing your passwords with some frequency and not using the same password everywhere is also just good security practice. It bears repeating: each site should have a unique password; never reuse a single password everywhere. Remember to choose a more secure password and couple that with a password manager, which will make remembering it a no-brainer. Again, we must assume the worst and change all of our passwords on any online services we use, but while we do so we should also turn on 2FA (two factor or two step authentication).

Turn on Two Factor Authentication

As I’ve said many times before, everyone should be using two factor authentication on all of the sites and services that offer it. Unfortunately very few people are doing so. For more information check out my post on implementing two factor authentication on most critical sites and services. Two factor authentication (also known as MFA, two-step verification, TFA, T-FA or 2FA) requires both your password and an additional code, either sent via SMS (a text message to your phone) or generated by virtual (software-based) applications such as Google Authenticator, Windows Phone Authenticator, etc. There are also physical hardware-based devices such as Symantec tokens for eBay/PayPal, Gemalto for Amazon AWS, YubiKey and many others. Most banks and financial institutions use the Symantec solution or offer their own. Either way, even standard SMS-based 2FA is a positive step forward you should deploy immediately.

Use a Password Manager

Let’s face it, passwords are hard to remember and painful to manage. Why not get an application that makes it far easier to manage them for us? That is where password managers come in. They allow you to save all of your passwords in an encrypted password safe that is much more secure than that sticky note on your desk. Additionally, most of these applications will allow you to generate more secure passwords for the sites and services you use. They can even remind you to follow best practice and change them with some frequency. Like I always say, these are no panacea but a good step in the right direction when coupled with two factor authentication.

Recall that OpenSSL isn’t just used on servers but in many other applications and devices: for example, your routers, firewalls, VPNs, desktop applications, smartphones and smartphone applications. Basically, anything that has the vulnerable version of OpenSSL will need to be patched. You can check with your vendor for details about patches and apply them as they become available. As a general practice your organization should automate these processes to quickly address known risks, and as an individual you should do the same. If the vendor you are working with fails to disclose a patch or information about addressing Heartbleed, I’d call and open a ticket with them.
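One way to automate the first pass of that check across an inventory is sketched below. It is an added example, not part of the original post: it triages the banner printed by `openssl version` for each device. The affected range (upstream 1.0.1 through 1.0.1f, fixed in 1.0.1g) is an assumption taken from outside this page, and the host names and inventory are constructed.

```python
import re

# Assumption, not stated on the page: upstream OpenSSL 1.0.1 through 1.0.1f
# carry the Heartbleed bug and 1.0.1g is the first fixed release.
FIRST_AFFECTED = (1, 0, 1, "")
FIRST_FIXED = (1, 0, 1, "g")

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-\w+)?")


def classify(banner):
    """Map one version banner to a triage status."""
    m = BANNER_RE.search(banner)
    if m is None:
        return "unrecognised"  # no OpenSSL banner: inspect by hand
    major, minor, fix, letter, tag = m.groups()
    if tag:
        # Betas and vendor builds (e.g. "-fips") do not track upstream
        # letter releases, so the string alone proves nothing either way.
        return "confirm-with-vendor"
    version = (int(major), int(minor), int(fix), letter)
    # Letter suffixes sort as plain strings: "" < "a" < ... < "f" < "g".
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "in-affected-range"
    return "outside-range"


def audit(inventory):
    """Return {host: status} for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn-gw": "OpenSSL 1.0.1g 7 Apr 2014",
    "old-router": "OpenSSL 0.9.8y 5 Feb 2013",
    "build-box": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "nas": "firmware 4.2, no banner exposed",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:12} {status}")
```

An `in-affected-range` result on a distribution package can be a false positive when the vendor backported the fix without changing the banner, so treat it as a prompt to check the vendor's advisory rather than as proof.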

Heartbleed isn’t the end of the world but it is a very serious security vulnerability. Take these steps to reduce your personal and business risks and don’t be among those that suffer the consequences of this bothersome bug. Stay safe out there!

Joseph P. Guarino has a long history of producing business results with the application of information technology. Joseph's expertise spans over 15 years in the private sector at leading technology firms and consulting organizations. With Evolutionary IT, he saw a market need to bring his transformative knowledge and expertise to firms in the New England area and worldwide. Joseph is driven by a strong desire to see customers thrive with the best business solutions. Evolutionary IT evolved out of this desire to bring a new level of quality IT solutions, align them with business goals and give customers a competitive edge.

6 Responses to "5 Steps to Stay Secure in Wake of Heartbleed"

By Kate Burnside July 11, 2014 - 9:47 pm

The news of Heartbleed was certainly a wake-up call for me to take my online security more seriously. Since the issue I have changed the majority of my passwords, and I have even started to use a password manager as this article recommends. I find it mind-boggling how this even occurred, when sites invest so much into encryption and security. Then again, there are plenty that seem to take their security for granted, and hence they have been compromised. With luck, this issue will make website owners more aware of their security in the future…

By Jamie Simpson July 18, 2014 - 12:51 am

It bothers me that people are so eager to exploit any cracks they can find in a security system for their own gain. The greed of mankind! When I initially found out about Heartbleed, I knew that changing my passwords was an essential step, which I had to take right away. However, since I’m literally hopeless at remembering new passwords, I decided to get RoboForm, which works surprisingly well in my opinion. With hope, this should be all I need to do for now, but I’m still going to make sure that all the sites I visit from now on have the proper security measures in place.

By Benjamin C July 22, 2014 - 6:31 pm

Heartbleed has been a true eye opener for me. I used to assume that I was fairly safe when using online services, however now that I have seen how easily loop-holes in security can be utilised, I am far more alert as to the security of my accounts and certainly how strong my passwords are. In some way, I am thankful for Heartbleed as it has meant that I am now more secure than ever on the net, although I am angry that websites didn’t already have the proper security measures in place to prevent it from happening.

By Nuno May 9, 2015 - 7:08 pm

We all should be careful about the security of our data. Once I went through such a situation with Heartbleed, I immediately changed all my passwords and turned on authentication for every access. Now I will also add a password manager as you suggest.